VulnCheck Exploit & Vulnerability Intelligence replaces the need to have separate scripts for downloading the NIST National Vulnerability Database (NVD), the CISA KEV catalog, etc. By integrating with VulnCheck Exploit & Vulnerability Intelligence, you're integrating with an Open Source Intelligence (OSINT) product that has best-in-class information, in a timely manner, on vulnerability exploitation and vulnerabilities generally.
Most importantly, unlike other purely vulnerability-centric solutions, VulnCheck marries exploit intelligence with vulnerability intelligence. By coupling exploit intelligence with vulnerability intelligence, better insights into vulnerability prioritization & remediation can be gained.
On the exploitation side, VulnCheck Exploit & Vulnerability Intelligence includes a wide range of features designed to help you understand the state of vulnerability exploitation. Such features include, but are not limited to:
The VulnCheck API makes it easy to get started with VulnCheck Exploit & Vulnerability Intelligence. To start, query the exploits index via the `/v3/index/:index?cve=:cve` API, as shown below for curl, the Go SDK, the Python SDK and the CLI:
curl:

```shell
curl --request GET \
  --url 'https://api.vulncheck.com/v3/index/exploits?cve=CVE-2019-3396' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer insert_token_here'
```
Go:

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"

	"github.com/vulncheck-oss/sdk-go"
)

func main() {
	// Authenticate against the API with a bearer token.
	client := sdk.Connect("https://api.vulncheck.com", "insert_token_here")

	// Query the exploits index for a single CVE.
	response, err := client.GetIndexExploits(sdk.IndexQueryParameters{
		Cve: "CVE-2019-3396",
	})
	if err != nil {
		log.Fatalf("Query failed: %v", err)
	}

	// Pretty-print the "data" array of the response.
	prettyJSON, err := json.MarshalIndent(response.Data, "", "  ")
	if err != nil {
		log.Fatalf("Failed to generate JSON: %v", err)
	}
	fmt.Println(string(prettyJSON))
}
```
Python:

```python
import vulncheck_sdk

# Point the SDK at the v3 API and authenticate with a bearer token.
configuration = vulncheck_sdk.Configuration(host="https://api.vulncheck.com/v3")
configuration.api_key["Bearer"] = "insert_token_here"

with vulncheck_sdk.ApiClient(configuration) as api_client:
    indices_client = vulncheck_sdk.IndicesApi(api_client)
    # Query the exploits index for a single CVE.
    api_response = indices_client.index_exploits_get(cve="CVE-2019-3396")
    print(api_response.data)
```
CLI:

```shell
vulncheck index browse exploits --cve CVE-2019-3396
```
The above example searches the exploits index for information on CVE-2019-3396. After calling the `/v3/index/exploits?cve=:cve` endpoint with a valid CVE identifier, a response similar to the following is returned (elided portions are marked `// ...`):
```json
{
"_benchmark": 0.055187,
"_meta": {
"index": "exploits",
// ...
},
"data": [
{
"id": "CVE-2019-3396",
"public_exploit_found": true,
"commercial_exploit_found": true,
"weaponized_exploit_found": true,
"max_exploit_maturity": "weaponized",
"reported_exploited": true,
"reported_exploited_by_threat_actors": true,
"reported_exploited_by_ransomware": true,
"reported_exploited_by_botnets": true,
"inKEV": true,
"timeline": {
"nvd_published": "2019-03-25T19:29:00Z",
"nvd_last_modified": "2021-12-13T16:05:00Z",
"first_exploit_published": "2019-03-25T00:00:00Z",
"first_exploit_published_weaponized_or_higher": "2019-04-11T00:00:00Z",
"most_recent_exploit_published": "2021-05-01T02:10:04Z",
"first_reported_threat_actor": "2019-08-19T00:00:00Z",
"most_recent_reported_threat_actor": "2021-01-01T00:00:00Z",
"first_reported_ransomware": "2019-04-23T00:00:00Z",
"most_recent_reported_ransomware": "2022-06-22T00:00:00Z",
"first_reported_botnet": "2019-04-26T00:00:00Z",
"most_recent_reported_botnet": "2022-04-27T00:00:00Z",
"cisa_kev_date_added": "2021-11-03T00:00:00Z",
"cisa_kev_date_due": "2022-05-03T00:00:00Z"
},
"trending": {
"github": false
},
"epss": {
"epss_score": 0.97498,
"epss_percentile": 0.9996,
"last_modified": "2023-08-15T13:49:54.769353Z"
},
"counts": {
"exploits": 22,
"threat_actors": 3,
"botnets": 3,
"ransomware_families": 4
},
"exploits": [
{
"url": "https://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html",
"name": "Atlassian Confluence 6.12.1 Template Injection",
"refsource": "packetstorm",
"date_added": "2021-01-22T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html",
"name": "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
"refsource": "packetstorm",
"date_added": "2019-04-18T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
}
// ...
],
"reported_exploitation": [
{
"url": "https://cisa.gov/news-events/cybersecurity-advisories/aa21-209a",
"name": "Top Routinely Exploited Vulnerabilities",
"refsource": "cisa-alerts",
"date_added": "2021-08-20T00:00:00Z"
},
{
"url": "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
"name": "Potential for China Cyber Response to Heightened U.S.–China Tensions",
"refsource": "cisa-alerts",
"date_added": "2020-10-20T00:00:00Z"
}
// ...
]
}
]
}
```

The above example response shows what the exploits index returns for CVE-2019-3396. The top-level attributes are described below.
Attribute | Meaning |
---|---|
id | CVE ID |
public_exploit_found | A public exploit has been discovered |
commercial_exploit_found | A commercial exploit is privately for sale as part of a commercial offering |
weaponized_exploit_found | Weaponized refers to an exploit that is explicitly malicious, such as cases where the exploit is contained within malware (e.g., a malicious Microsoft Word document), has been reported as exploited in the wild, or facilitates "point & click" exploitation (e.g., works against all or most targets and works reliably, such as exploits in MetaSploit, VulnCheck Initial Access Intelligence, CANVAS, or Core Impact). Additionally, weaponized exploits typically have secondary payloads, droppers, or implants. |
reported_exploited | Reported Exploitation has been confirmed and the vulnerability is known to be exploited / exploited in the wild. |
reported_exploited_by_threat_actors | A threat actor has been attributed with the vulnerability. |
reported_exploited_by_ransomware | The vulnerability has been used in a ransomware campaign. |
reported_exploited_by_botnets | One or more botnets have been attributed to the vulnerability. |
inKEV | Is included in the CISA KEV (Known Exploited Vulnerabilities) catalog. |
inVCKEV | Is included in the VulnCheck KEV (Known Exploited Vulnerabilities) catalog. |
max_exploit_maturity | Meaning |
---|---|
Weaponized (`weaponized` in API responses) | The highest maturity level. Weaponized refers to an exploit that is explicitly malicious, such as cases where the exploit is contained within malware (e.g., a malicious Microsoft Word document), has been reported as exploited in the wild, or facilitates "point & click" exploitation (e.g., works against all or most targets and works reliably, such as exploits in Metasploit, VulnCheck Initial Access Intelligence, CANVAS, or Core Impact). Additionally, weaponized exploits typically have secondary payloads, droppers, or implants. |
POC (`poc` in API responses) | "POC" (proof of concept) is currently anything that can be used to demonstrate exploitation. This can be a blog post, a curl request, a Python script, etc. The same values appear in the per-exploit `exploit_maturity` attribute. |
Timeline Attribute | Meaning |
---|---|
nvd_published | When NVD Published the vulnerability. |
nvd_last_modified | When NVD last modified the vulnerability |
first_exploit_published | When the first exploit was published |
first_exploit_published_weaponized_or_higher | When the first weaponized exploit or exploitation evidence was available. |
most_recent_exploit_published | When the last exploit was published |
first_reported_threat_actor | When the first threat actor was reported |
most_recent_reported_threat_actor | When the most recent threat actor was reported |
first_reported_ransomware | When ransomware was first reported |
most_recent_reported_ransomware | When ransomware was most recently reported |
first_reported_botnet | When a botnet was first reported |
most_recent_reported_botnet | When a botnet was most recently reported |
cisa_kev_date_added | When the CVE was added to CISA KEV |
cisa_kev_date_due | The CISA KEV remediation due date |
vulncheck_kev_date_added | When first known exploitation was reported |
* timeline attributes are omitted if there is no evidence or a null date present.
EPSS Attribute | Meaning |
---|---|
epss_score | The EPSS score |
epss_percentile | The EPSS percentile |
Counts Attribute | Meaning |
---|---|
exploits | The total number of exploits discovered. |
threat_actors | The total number of threat actors attributed. |
botnets | The total number of botnets attributed. |
ransomware_families | The total number of ransomware families using the vulnerability. |
VulnCheck Exploit & Vulnerability Intelligence maintains an Exploit Type field for each exploit that is indexed. The Exploit Type field helps distinguish between high-impact exploits, like initial access exploits, and lower-impact exploits, like denial of service exploits.
Exploit Type | Meaning |
---|---|
Initial Access | Initial Access exploits are typically the highest-impact exploits published. These vulnerabilities, also sometimes referred to as Remote Code Execution (RCE) vulnerabilities, are remote in nature and typically do not require credentials to exploit. |
Remote with credentials | Remote with credentials exploits are exploits that are remote, typically targeting network-bound applications, but require credentials to exploit. |
Local | Examples of local exploits include those targeting setuid binaries on Linux. |
Client-side | Examples of client-side exploits include those targeting client applications, such as Microsoft Word or Excel. |
Infoleak | Infoleak exploits leak data from a target, without compromising the integrity of such a target. |
Denial of Service | Denial of Service exploits typically cause a service or application to crash. Note: Often a denial-of-service exploit targets an initial-access vulnerability, prior to an initial-access exploit being posted. |
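The attribute tables above describe the fields a prioritization workflow actually consumes: the exploitation flags, `max_exploit_maturity`, the `timeline`, `epss` and the per-exploit entries. The following added example (not VulnCheck's own code, and not from the SDKs shown earlier) fetches one record from `/v3/index/exploits` with only the standard library and turns it into a priority tier, measures how long the CVE went from NVD publication to a weaponized exploit and to CISA KEV inclusion, and tallies the indexed exploits. The tier thresholds are this example's own policy, the `VULNCHECK_TOKEN` environment variable is an assumption, and the per-exploit key name `exploit_type` (with a value of `initial-access`) used for the Exploit Type tally is assumed rather than taken from the page; the sample record is constructed by trimming the CVE-2019-3396 response shown above.

```python
"""Triage a CVE from the VulnCheck exploits index. Added example, not VulnCheck code."""
import json
import os
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timezone

EXPLOITS_INDEX = "https://api.vulncheck.com/v3/index/exploits"

# Constructed sample: the CVE-2019-3396 response from above, trimmed to the fields used here.
# The "exploit_type" key/value on the first exploit is an assumption, not from the page.
SAMPLE = {
    "id": "CVE-2019-3396",
    "public_exploit_found": True,
    "weaponized_exploit_found": True,
    "max_exploit_maturity": "weaponized",
    "reported_exploited": True,
    "reported_exploited_by_threat_actors": True,
    "reported_exploited_by_ransomware": True,
    "reported_exploited_by_botnets": True,
    "inKEV": True,
    "timeline": {
        "nvd_published": "2019-03-25T19:29:00Z",
        "first_exploit_published": "2019-03-25T00:00:00Z",
        "first_exploit_published_weaponized_or_higher": "2019-04-11T00:00:00Z",
        "cisa_kev_date_added": "2021-11-03T00:00:00Z",
    },
    "epss": {"epss_score": 0.97498, "epss_percentile": 0.9996},
    "exploits": [
        {"name": "Atlassian Confluence 6.12.1 Template Injection",
         "exploit_maturity": "poc", "exploit_availability": "publicly-available",
         "exploit_type": "initial-access"},  # assumed key and value
        {"name": "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
         "exploit_maturity": "poc", "exploit_availability": "publicly-available"},
    ],
}


def fetch_exploits(cve: str, token: str) -> dict:
    """GET /v3/index/exploits?cve=<cve> with a Bearer token; returns the parsed JSON body."""
    url = f"{EXPLOITS_INDEX}?{urllib.parse.urlencode({'cve': cve})}"
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Bearer {token}",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _parse_ts(value: str) -> datetime:
    # Timeline dates have the form 2019-03-25T19:29:00Z (no fractional seconds).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def days_between(timeline: dict, start: str, end: str):
    """Whole days from timeline[start] to timeline[end]. Returns None when either key is
    missing, because the API omits timeline attributes for which it has no evidence."""
    if start not in timeline or end not in timeline:
        return None
    return (_parse_ts(timeline[end]) - _parse_ts(timeline[start])).days


def triage(record: dict) -> tuple:
    """Map one exploits-index record to a priority tier plus the evidence behind it."""
    reasons = []
    for key, label in (("inKEV", "CISA KEV"),
                       ("reported_exploited_by_ransomware", "ransomware"),
                       ("reported_exploited_by_botnets", "botnet"),
                       ("reported_exploited_by_threat_actors", "threat actor")):
        if record.get(key):
            reasons.append(label)
    maturity = record.get("max_exploit_maturity")          # "weaponized" or "poc"
    epss = record.get("epss", {}).get("epss_score", 0.0)
    if record.get("inKEV") or record.get("reported_exploited"):
        tier = "P1"   # exploitation in the wild is confirmed
    elif maturity == "weaponized" or epss >= 0.5:
        tier = "P2"   # a reliable exploit exists or EPSS says an attack is likely
    elif maturity == "poc":
        tier = "P3"   # only proof-of-concept material is known
    else:
        tier = "P4"   # no indexed exploit evidence
    return tier, reasons


def summarize_exploits(exploits: list) -> dict:
    """Count indexed exploits by maturity, availability and exploit type.
    'exploit_type' is an assumed key; entries without it are counted as 'unknown'."""
    return {
        "maturity": Counter(e.get("exploit_maturity") for e in exploits),
        "availability": Counter(e.get("exploit_availability") for e in exploits),
        "type": Counter(e.get("exploit_type", "unknown") for e in exploits),
    }


if __name__ == "__main__":
    token = os.environ.get("VULNCHECK_TOKEN")  # assumed variable name
    record = fetch_exploits("CVE-2019-3396", token)["data"][0] if token else SAMPLE
    print(record.get("id"), triage(record))
    tl = record.get("timeline", {})
    print("days NVD -> weaponized exploit:",
          days_between(tl, "nvd_published", "first_exploit_published_weaponized_or_higher"))
    print("days NVD -> CISA KEV:", days_between(tl, "nvd_published", "cisa_kev_date_added"))
    print(summarize_exploits(record.get("exploits", [])))
```

Without a token the script runs against the embedded sample; with one it queries the live index and applies the same logic to `data[0]`. The `days_between` helper treats an absent timeline key as "no evidence" rather than raising, matching the footnote that timeline attributes are omitted when no date is known.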